OT: Root access policy

Carl Johnson carlj at peak.org
Thu Dec 29 17:15:49 UTC 2011

Damien Fleuriot <ml at my.gd> writes:

> On 12/29/11 10:58 AM, Polytropon wrote:
>> On Thu, 29 Dec 2011 04:01:42 -0500, Irk Ed wrote:
>>> For the first time, a customer is asking me for root access to said
>>> customer's servers.
>>> Assuming that I'll be asked to continue administering said servers, I guess
>>> I should at least enable accounting...
>> You could have better success using sudo. Make sure
>> the customer is allowed to "sudo <command>". The
>> sudo program will log _all_ things the customer
>> does, so you can be sure you can review actions.
>> Furthermore you don't need to give him the _real_
>> root password. He won't be able to "su root" or
>> to login as root, _real_ root. But he can use
>> the "sudo" prefix to issue commands "with root
>> privileges".
> "sudo su -" or "sudo sh" and the customer gets a native root shell which
> does *not* log commands !

The sudoers manpage mention the noexec option which is designed to help
with the first problem.  They also show an example using !SHELLS which
can help with the second.

Carl Johnson		carlj at peak.org

More information about the freebsd-questions mailing list